Why There’s No Such Thing as a “Harmless” Data Breach

Republished from CU Weekly dated February 21, 2020. By James McCabe.

Over the past year, we have seen a continued incline in data breach events. A few years ago, it was not uncommon for a data breach to make news headlines once every month or two. In 2019, that began to change. The public announcement of a new data breach has become a weekly occurrence. That's because there was a 17% increase in data breach events in 2019 over 2018.

Not too surprisingly, 2020 has started with a series of breach announcements, which is indicating another record year for attacks. But, in addition to the increased frequency of breach events, the growing number of breaches involving "harmless" data is another notable trend that many people have shrugged off as just being annoying. Breaches like the one from Microsoft, which exposed 250 million customer records, didn't alarm as many people because it lacked the SSNs, birth dates, and credit card data that have impacted other breaches, such as those from the healthcare industry.

The recent wave of data breach activities that involve data such as email addresses, mailing addresses, phone numbers, and passwords are the breaches that can be the most dangerous because they're the ones that many consumers ignore and fail to react proactively. Many consumers (your members) do not realize that a non-financial data breach can be just as detrimental because a hacker only needs a small bit of personal data to cause havoc on someone's identity.

Your members need to be aware that criminals are keenly interested in this "non-financial" data to allow them access to more critical data. For example, the stolen Instagram passwords of 419 million users could be the gateway to financial and other sensitive accounts since over 60% of adults use the same login credentials for multiple accounts, and 44% of consumers change their passwords once a year or less.

Hackers also use inconsequential data from breaches such as PhotoSquared App, Estée Lauder, and Arizona Department of Education to round out the data that they previously collected from the same individuals. The breach events of Equifax and Capital One exposed almost every adult (147+ million) US citizen's social security number. Having a closer to complete data file on a person allows criminals to do more damage, which is why there has been such a dramatic increase in New Account and Account Takeover Fraud in the past five years (138% higher in 2019 than in 2014).

Credit Unions have a significant Member-centric focus that sets them apart from other financial institutions. So wouldn’t it be credit union-centric to provide members with education, awareness, and protective services against ID theft & fraud events, unlike other financial institutions? Fighting the ever-increasing complacency of consumers (members) can add another differentiating factor for your credit union. Hundreds of credit unions are implementing value- rich ID theft recovery & monitoring programs for members that set them apart in ways that enhance member engagement and can also generate non-interest income.

​

Members are often confused and bewildered about how to combat the risks that they know they are facing with the rapid advancement of data technologies. Cell phones and other mobile devices are especially a concern since they are typically the storing mechanism for everything about an individual. This is particularly true of the Millennial generation. Now is the opportune time for credit unions to investigate the introduction of member protective services and education/awareness programs that will help members protect ALL of their data - even their seemingly "harmless" personal information. Because as we know, there's no such thing as a "harmless" data breach.